ByteOS Network

NVD Vulnerability Details :

CVE-2026-25099

Analyzed

Source-cvd@cert.pl

Published At-27 Mar, 2026 | 12:16

Updated At-01 Apr, 2026 | 14:16

Bludit’s API plugin allows an authenticated attacker with a valid API token to upload files of any type and extension without restriction, which can then be executed, leading to Remote Code Execution. This issue was fixed in 3.18.4.

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

Metrics

Type	Version	Base score	Base severity	Vector
Secondary	4.0	8.7	HIGH	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary	3.1	8.8	HIGH	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Type: Secondary

Version: 4.0

Base score: 8.7

Base severity: HIGH

Vector:

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Type: Primary

Version: 3.1

Base score: 8.8

Base severity: HIGH

Vector:

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CPE Matches

bludit>>bludit>>Versions before 3.18.4(exclusive)

cpe:2.3:a:bludit:bludit:*:*:*:*:*:*:*:*

Weaknesses

CWE ID	Type	Source
CWE-434	Primary	cvd@cert.pl

CWE ID: CWE-434

Type: Primary

Source: cvd@cert.pl

References

Hyperlink	Source	Resource
https://cert.pl/posts/2026/03/CVE-2026-25099	cvd@cert.pl	Third Party Advisory
https://github.com/bludit/bludit/releases/tag/3.18.4	cvd@cert.pl	Release Notes

Hyperlink: https://cert.pl/posts/2026/03/CVE-2026-25099

Source: cvd@cert.pl

Resource:

Third Party Advisory

Hyperlink: https://github.com/bludit/bludit/releases/tag/3.18.4

Source: cvd@cert.pl

Resource:

Release Notes

CISA Catalog

Metrics

CPE Matches

Weaknesses

Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References

Change History